AAEAAQAAAAAAAANgAAAAJGE5NTRmYzBkLTBkMzQtNGY3NS1iNzcxLWVlZWM1NDM5YzM4ZgIn light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council1 (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Compliance is now mandatory for all financial institutions and involves comprehensive configuration controls that allow for thorough assessment and evaluation, rigorous change detection and detailed reporting. The tool’s use is optional for now but may be used by regulators in 2016.

Benefits to the Institution

For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following:

  • Identifying factors contributing to and determining the institution’s overall cyber risk.
  • Assessing the institution’s cybersecurity preparedness.
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
  • Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.
  • Informing risk management strategies.

CEO and Board of Directors

The role of the chief executive officer (CEO), with management’s support, may include the responsibility to do the following:

  • Develop a plan to conduct the Assessment.
  • Lead employee efforts during the Assessment to facilitate timely responses from across the institution. • Set the target state of cybersecurity preparedness that best aligns to the board of directors’ (board) stated (or approved) risk appetite.
  • Review, approve, and support plans to address risk management and control weaknesses.
  • Analyze and present results for executive oversight, including key stakeholders and the board, or an appropriate board committee.
  • Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk.
  • Oversee changes to maintain or increase the desired cybersecurity preparedness. The role of the board, or an appropriate board committee, may include the responsibility to do the following:
  • Engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.
  • Approve plans to use the Assessment.
  • Review management’s analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results.
  • Review management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks.
  • Review and approve plans to address any risk management or control weaknesses.
  • Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats.

The Cybersecurity Assessment Tool provides a way for institution management to assess an institution’s inherent risk profile and cybersecurity maturity to inform risk management strategies. It is very important for institutions of all sizes to take a risk based approach and understand the tool’s rationale and implications.